Security Alerts: OpenBSD, Zope, syslogd, and More

Welcome to the "Security Alerts" column (formerly "Insecurities in a Nutshell") -- an overview of new Unix and open source security-related advisories and news. Problems this week include a remote root exploit of OpenBSD and NetBSD, more temporary file problems in Solaris's patchadd and ksh, local root vulnerabilities in Stunnel, syslogd, and klogd, and new tools for man-in-the-middle attacks.

A remote root exploit has been found in the OpenBSD and NetBSD FTP daemons. It's caused by an obscure one-byte buffer overflow in ftpd that can grant root access to a remote attacker under some circumstances. OpenBSD ships with ftpd turned off, and the attacker must be able to write to a directory on the server. For these reasons it has been reported that read-only OpenBSD FTP servers are safe from this attack.

This problem affects OpenBSD versions up to and including 2.8, and NetBSD releases prior to December 14th. FreeBSD has been reported to not be affected. Patches have been released to fix this, and it is recommended that everyone running a vulnerable FTP daemon apply the patch as soon as possible.

Solaris patchadd, the ksh wrapper script that Sun uses to apply its system patches, has a problem with the way it uses temporary files.

Because this program is run by root and can be used to change file permissions, it can allow a malicious user to write whatever data he or she desires to arbitrary files on the system. As of this time Sun has not released an official patch for patchadd.

Until patchadd has been patched, the suggested safe way of applying patches is to either shut down and then boot the machine into single-user mode with boot -s, or change to single-user mode with init S, and to ensure that there are no dangerous files (such as planted symbolic links) in /tmp before applying the patches.

ksh, the Korn shell, also has a problem with the way it handles temporary files. A script that uses the << (here document) syntax can allow a malicious user to write to arbitrary files belonging to the user that is executing the script. Unix distributions that have been reported as being vulnerable include IRIX 6.5.7, HP-UX B.09.00, Tru64 5.0, and Solaris 7. Unix distributions that are reported as having a safe version include Linux, NetBSD, Solaris 8, and HP-UX B.11.00. It is recommended that you check with your vendor for an updated version.

nano is a small text editor that is a clone of the pico editor. When it exits abnormally because of a signal, it saves its buffer in a file in the current directory called filename.save (where filename is the name of the buffer). It does this without first checking whether that file already exists or is a symbolic link.

This is the same type of problem as those reported last week with the pico and joe editors; it can lead to a malicious user corrupting files by overwriting them with the contents of nano's buffer. Users should upgrade to a version newer than 0.9.23-1, or 0.9.23-1.1 for PowerPC users.

Zope, a leading open source web application server, has a bug that can allow users to gain privileges on objects for which they had not been granted permission. Many vendors have released updates, and it is recommended that you upgrade your Zope package to version 2.1.6-5.3 or newer as soon as possible.

Stunnel is a package that provides SSL connections for TCP services, such as pop3 or ldap. Versions prior to 3.8 did not securely create their PID file. As this software is often used to tunnel low-numbered TCP/IP ports (which requires root permissions), this would allow a local attacker to write to any file on the system.

Versions prior to 3.8p4 were also vulnerable to a format string bug. With this vulnerability a user could, through a carefully constructed string, obtain a shell running as the user that is running Stunnel (usually root). It is recommended that users upgrade to version 3.9 as soon as possible.
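The patchadd, ksh, nano and Stunnel reports above are all instances of one bug class: a privileged program creates a file under a predictable name (a temporary file, filename.save, a PID file) without checking whether something is already sitting at that name, so a symbolic link planted by a local user redirects the write to any file the program's owner can touch. The following is an added example, not code from any of the projects named in this column, showing the vulnerable open() pattern beside the hardened one and exercising both in a private scratch directory. The file names, the "victim"/"editor.save" scenario and the bitmask return value are assumptions made for the demonstration.

```c
#define _GNU_SOURCE          /* O_NOFOLLOW and mkdtemp on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The pattern behind the reports: create-or-truncate a predictable name.
 * If that name is already a symlink planted by another local user, the
 * kernel follows it and the data lands in the link's target. */
int unsafe_save(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Hardened: O_EXCL makes open() fail with EEXIST if anything (a symlink
 * included) already has that name, and O_NOFOLLOW refuses to traverse a
 * symlink at the final path component. A failure must abort the save;
 * it must never fall back to the unsafe form. */
int safe_save(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;           /* errno is EEXIST or ELOOP when a link was planted */
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Read a small file into buf; returns bytes read or -1. */
static ssize_t slurp(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Constructed scenario in a fresh scratch directory:
 *   victim      - a file the editor/daemon was never meant to touch
 *   editor.save - a symlink to victim, planted before the save happens
 * Returns a bitmask: 1 = unsafe_save clobbered victim, 2 = safe_save
 * refused the planted link, 4 = victim intact afterwards, 8 = safe_save
 * still works on a genuinely unused name. A correct run returns 15. */
int run_scenario(void)
{
    char dir[] = "/tmp/tmpfile-demo-XXXXXX";
    char victim[256], link[256], fresh[256], buf[64];
    int result = 0;

    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/editor.save", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.save", dir);

    if (safe_save(victim, "original\n") != 0 || symlink(victim, link) != 0)
        goto cleanup;

    /* 1. the vulnerable pattern: the write follows the planted symlink */
    if (unsafe_save(link, "attacker\n") == 0 &&
        slurp(victim, buf, sizeof buf) > 0 && strcmp(buf, "attacker\n") == 0)
        result |= 1;

    /* reset the victim; 2. the hardened pattern refuses the link outright */
    unlink(victim);
    safe_save(victim, "original\n");
    errno = 0;
    if (safe_save(link, "attacker\n") == -1 && (errno == EEXIST || errno == ELOOP))
        result |= 2;
    if (slurp(victim, buf, sizeof buf) > 0 && strcmp(buf, "original\n") == 0)
        result |= 4;

    /* 3. and it still succeeds when the name is genuinely unused */
    if (safe_save(fresh, "buffer contents\n") == 0)
        result |= 8;

cleanup:
    unlink(fresh); unlink(link); unlink(victim); rmdir(dir);
    return result;
}

int main(void)
{
    printf("scenario bitmask: %d (15 means all checks behaved as expected)\n",
           run_scenario());
    return 0;
}
```

For a script (the patchadd and ksh cases) the equivalent of O_EXCL is to let mktemp(1) pick an unpredictable name in a directory only the script's owner can write, rather than echoing into a fixed /tmp path; for a daemon's PID file, write it into a root-owned directory such as /var/run rather than a world-writable one.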

Several vulnerabilities exist in the syslogd/klogd logging daemons that can be exploited by local users for a root compromise. By crafting a message containing the proper terminal escape codes, a malicious user can gain root privileges. There are also several buffer overflows that can be used to send false messages to the console and crash syslogd. It's recommended that users upgrade to sysklogd version 1.4 as soon as possible.
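Both the syslogd escape code problem and the Stunnel format string bug come from treating attacker-supplied log text as something other than inert data: in one case raw control bytes reach the console, in the other the message itself is used as a printf-style format. The following added example, not code from sysklogd or Stunnel, shows the two defensive rules a logging path should follow: every byte outside printable ASCII is rewritten as an octal escape before it reaches a terminal, and the message is only ever passed as a %s argument. The function names, the escaping scheme and the sample messages are assumptions made for this demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Rewrite a log message so it cannot carry terminal control sequences
 * to the console: every byte that is not printable ASCII (and every
 * backslash, so the encoding stays unambiguous) becomes a \ooo octal
 * escape. out is always NUL-terminated. Returns the number of bytes
 * written excluding the NUL, or -1 if out cannot hold the whole escaped
 * message (in which case out is emptied rather than left partial). */
int sanitize_log_line(const char *in, char *out, size_t outlen)
{
    size_t pos = 0;
    if (outlen == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (*p >= 0x20 && *p < 0x7f && *p != '\\') {
            if (pos + 1 >= outlen)          /* room for the byte plus NUL */
                goto too_small;
            out[pos++] = (char)*p;
        } else {
            if (pos + 4 >= outlen)          /* room for \ooo plus NUL */
                goto too_small;
            snprintf(out + pos, 5, "\\%03o", *p);
            pos += 4;
        }
    }
    out[pos] = '\0';
    return (int)pos;
too_small:
    out[0] = '\0';
    return -1;
}

/* Build a console line from untrusted data. The message is passed to
 * snprintf only as a %s argument, never as the format string itself,
 * so %n, %x and friends in the data are printed literally instead of
 * being interpreted. Returns the line length or -1 on truncation. */
int format_console_line(const char *tag, const char *untrusted,
                        char *out, size_t outlen)
{
    char clean[1024];
    if (sanitize_log_line(untrusted, clean, sizeof clean) < 0)
        return -1;
    int n = snprintf(out, outlen, "%s: %s", tag, clean);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Scratch buffer used by the demonstration below. */
static char demo_buf[256];

int main(void)
{
    /* Constructed sample: a message that tries to clear the screen
     * (ESC [ 2 J) and smuggle a format directive. */
    const char *sample = "login from host \x1b[2J%x%x\n";
    if (format_console_line("ftpd", sample, demo_buf, sizeof demo_buf) > 0)
        printf("%s\n", demo_buf);
    return 0;
}
```

The bounded-length check is what keeps the sanitizer from becoming a second overflow: an escaped message is up to four times longer than its input, so the output buffer must be sized for the expansion or the call must fail cleanly, as it does here.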

Two new tools for man-in-the-middle attacks against cryptographic connections (sshmitm and webmitm) have been released. sshmitm is used to attack secure shell (SSH) connections, and webmitm is used to attack web-based secure socket layer (SSL) connections. They are both part of the dsniff-2.3 package. There are two major areas of weakness that these tools exploit.

The first is an attack that substitutes the attacker's keys during the initial connection to a remote server. With SSL you have the protection of a CA (Certificate Authority) signing the key to verify to whom it belongs. With SSH, the user is responsible for verifying the legitimacy of the key.

The second is an attack where the attacker sends you a new host key when you connect to the remote server. With both SSL and SSH, the software will give users a warning message about the key being different or not matching the host. In a way this is a form of social engineering attack: the only way for it to work is for the user to ignore the warning. If a host key has changed, you should understand why it has changed before you trust it.
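The two windows described above, an unknown key on first contact and a changed key on a later contact, are exactly the two decisions an SSH client's host key check has to make. The following added example is not code from OpenSSH or dsniff; it models that decision against a known_hosts-style list, with a strict mode that refuses unknown hosts (the behaviour to turn on where keys are distributed out of band) and an unconditional refusal when a stored key no longer matches. The host names, key strings, the simplified "host keytype key" line format and the verdict names are constructed assumptions for this demonstration; real known_hosts files also support hashed and aliased host names.

```c
#include <stdio.h>
#include <string.h>

enum key_verdict {
    KEY_ACCEPT,          /* presented key matches the stored one */
    KEY_ACCEPT_TOFU,     /* no stored key; accepted on first use (non-strict) */
    KEY_REFUSE_UNKNOWN,  /* no stored key; strict mode refuses to guess */
    KEY_REFUSE_CHANGED   /* stored key differs: treat as man-in-the-middle */
};

/* Constructed known_hosts-style data: one "host keytype key" per line.
 * The key strings are placeholders, not real public keys. */
static const char KNOWN_HOSTS[] =
    "mail.example.test ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexampleMAIL\n"
    "shell.example.test ssh-dss AAAAB3NzaC1kc3MAAACBexampleSHELL\n";

/* Find the stored "keytype key" for host. Returns 1 and copies it into
 * out, or 0 if the host has no entry. Lines are parsed with bounded
 * field widths so a hostile file cannot overrun the local buffers. */
int lookup_known_host(const char *known_hosts, const char *host,
                      char *out, size_t outlen)
{
    const char *line = known_hosts;
    while (*line) {
        char tmp[1024], h[256], type[64], key[512];
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len >= sizeof tmp)
            len = sizeof tmp - 1;
        memcpy(tmp, line, len);
        tmp[len] = '\0';
        if (sscanf(tmp, "%255s %63s %511s", h, type, key) == 3 &&
            strcmp(h, host) == 0) {
            snprintf(out, outlen, "%s %s", type, key);
            return 1;
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return 0;
}

/* Decide whether to trust the "keytype key" a server presented at
 * connection time. strict != 0 refuses hosts with no stored key; a
 * mismatch against a stored key is refused regardless of mode, because
 * that is the case a warning prompt invites the user to click through. */
enum key_verdict check_host_key(const char *known_hosts, const char *host,
                                const char *presented, int strict)
{
    char stored[600];
    if (!lookup_known_host(known_hosts, host, stored, sizeof stored))
        return strict ? KEY_REFUSE_UNKNOWN : KEY_ACCEPT_TOFU;
    return strcmp(stored, presented) == 0 ? KEY_ACCEPT : KEY_REFUSE_CHANGED;
}

int main(void)
{
    static const char *names[] = { "ACCEPT", "ACCEPT_TOFU",
                                   "REFUSE_UNKNOWN", "REFUSE_CHANGED" };
    /* the genuine key, a substituted key, and a never-seen host */
    printf("mail (same key):    %s\n", names[check_host_key(KNOWN_HOSTS,
        "mail.example.test", "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexampleMAIL", 1)]);
    printf("mail (new key):     %s\n", names[check_host_key(KNOWN_HOSTS,
        "mail.example.test", "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABattacker", 0)]);
    printf("new host (strict):  %s\n", names[check_host_key(KNOWN_HOSTS,
        "new.example.test", "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexampleNEW", 1)]);
    return 0;
}
```

The first-contact case is the one no client logic can solve on its own: KEY_ACCEPT_TOFU is only as good as whatever the user did to confirm the fingerprint, which is the gap sshmitm exploits; pre-seeding known_hosts from a trusted source and running in strict mode closes it.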

I think the root of this problem is the assumption that some piece of software will be a security panacea. SSH and SSL are useful tools, but they will not protect us from ourselves.